The New Rules Of Cybersecurity

The man who built the U.S. Army’s cyber command says online threats are going get worse before they get better. But that doesn’t mean leaders are powerless. To win, focus on your culture and your people to create a sense of urgency to protect what you value and ensure you’re ready for the threats focused on you. Some hard-learned lessons from the war for cyberspace.

My 37-year career in the U.S. Army spanned the digital revolution we continue to experience today. From being assigned to the Army’s first digitized division to leading the army’s human resources command during a time of war, to creating, in 2010, a global command with 17,000 cyber professionals charged to not only conduct defensive operations, but when directed, to be able to do offensive operations, I witnessed and helped lead the transformation of our military into a new age.

Over that time, the ability of cyber threats to try to take advantage or limit America’s ability to conduct uninterrupted operations—both militarily, and commercially—increased dramatically. Yet, until recently, many leaders assumed that, despite the occasional interruption, these adversaries would not have the ability to seriously interrupt operations. We took our freedom to operate in cyberspace for granted. That assumption is no longer true. There is a growing threat from sophisticated cybercriminal networks and individual actors that might have a political cause or something that they want to try to impact through cyberspace. Most significant are the growing cyberthreats from nation-state actors—especially Russia, China, Iran and North Korea—that have the potential to commit not only cybercrime or espionage, but launch disruptive and potentially destructive attacks.

Iran’s capability, in particular, has grown significantly from a 2012 attack on the U.S. financial sector. Iran is no longer only taking a disruptive approach; it now has destructive capability as well. North Korea has also demonstrated a growing ability to successfully target institutions around the world. America’s sophisticated, networked critical infrastructure—our financial institutions, our electrical grid, our telecommunications sector—also make the U.S. potentially vulnerable to nation-states as well as cyber-terrorists who have a clear intent to do us harm, but only lack capability for the time being.

“YOU WILL NEVER ELIMINATE ALL RISKS BUT YOU CAN FOCUS ON WHAT
MATTERS MOST TO REDUCE RISK.”

Our ability to operate in cyberspace from now on will be predicated on our ability to defend and conduct appropriate cybersecurity—if we expect military operations to continue, or we expect businesses to bring the value that we intend.

Cybercrime Will Continue to Explode
The bad news is that it is going to get worse before it gets better. Cybercrime is going to explode as an industry. In addition to today’s sophisticated cybercriminal networks, technology is converging to the point where any individual can easily take advantage of tools to do something to others that would put them at risk. Almost half of all breaches result from criminal or malicious attacks already, and as the tools to commit cybercrime become easier for individuals to use, it will create an increased number of new opportunists seeking new markets and new partners, creating more threats across the world.

The Internet of Things (IoT) in particular brings increased opportunity for cybercriminals. IHS forecasts that the number of IoT devices will grow from 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025.

It is already relatively simple for even unsophisticated adversaries to take control of IoT devices and harness their computing power as part of a botnet, significantly increasing their ability to disrupt a company’s online operations by flooding its network with data in a denial of service attack. But the growth of IoT also dramatically increases the threat of direct penetration of corporate networks, especially through supply chains and third-party relationships.

As IoT and frictionless machine-to-machine data flow becomes ubiquitous, corporate leaders will see their cyber risks grow substantially. Where is all that data from all those IoT devices going? Who has access to the data in your company? Are those vendors and customers doing enough to secure their networks? These are the questions that will keep CEOs up at night and requires attention now.

Healthcare is a good example. The $28 billion global market for electronic medical records is expected to surpass $36 billion by 2021, according to Kalorama Information. All this sensitive personal information is a rich target for cybercriminals, and the number of IoT devices, including wearables and implants, is making it ever more vulnerable.

Lieutenant General (Ret) Rhett Hernandez was the first commander of the U.S. Army Cyber Command, responsible for the operations and defense of all Army networks and transforming the Army’s approach to cyberspace. He is part of the Thayer Leadership Development Group at West Point and serves as the West Point Cyber Chair to the Army Cyber Institute. He serves
on a wide range of boards and as president of CyberLens, LLC, focusing on leadership, strategic planning and risk management.